本文介绍了SaltStack自动化管理工具的使用,包括安装部署服务、自动化部署httpd和nginx、haproxy负载均衡的配置。详细阐述了grains和pillar的概念,以及如何利用jinja模板动态更改配置。通过实例展示了在minion服务器上执行命令、推送配置文件和监控状态。
SaltStack管理工具允许管理员对多个操作系统创建一个一致的管理系统
SaltStack作用于仆从和主拓扑。SaltStack与特定的命令结合使用可以在一个或多个下属执行。实现这一点,此时Salt Master可以发出命令,如salt ‘*’ cmd.run ‘ls -l /’。
除了运行远程命令,SaltStack允许管理员使用“grain”。grain可以在SaltStack仆从运行远程查询,因此收集仆从的状态信息并允许管理员在一个中央位置存储信息。SaltStack也可以帮助管理员定义目标系统上的期望状态。这些状态在应用时会用到.sls文件,其中包含了如何在系统上获得所需的状态非常具体的要求
实验主机:
master:server9 —–>172.25.25.9
minion:server10 —> 172.25.25.10
minion:server8 —–>172.25.25.8
1.安装部署服务
server9
[root@server9 ~]# yum install salt-master
[root@server9 ~]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
server10
[root@server10 ~]# yum install salt-minion
[root@server10 ~]# cd /etc/salt/
[root@server10 salt]# vim minion
master: 172.25.25.9 #master的ip
[root@server10 salt]# /etc/init.d/salt-minion start
Starting salt-minion:root:server10 daemon: OK
server9
查看:
[root@server9 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys: #server10不被接
server10
Rejected Keys:
# 传公钥
[root@server9 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server10
Proceed? [n/Y] Y
Key for minion server10 accepted.
# 再次查看
[root@server9 ~]# salt-key -L
Accepted Keys:
server10
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# 测试:
[root@server9 ~]# salt server10 test.ping
server10:
True
查看公钥
master(server9)
[root@server9 ~]# cd /etc/salt/pki/
[root@server9 pki]# ll
total 8
drwx------ 7 root root 4096 Aug 17 09:28 master
drwxr-xr-x 2 root root 4096 Feb 24 2017 minion
[root@server9 pki]# cd master/
[root@server9 master]# md5sum master.pub
d4fe65c78a791980030b10a730044818 master.pub
[root@server9 master]# cd minions
[root@server9 minions]# ls
server10
[root@server9 minions]# md5sum server10
e2dfc456495b754bbbfc58f7dca92114 server10
minion(server10)
[root@server10 salt]# cd /etc/salt/pki/
[root@server10 pki]# ll
total 8
drwxr-xr-x 2 root root 4096 Feb 24 2017 master
drwx------ 2 root root 4096 Aug 17 09:29 minion
[root@server10 pki]# cd master/
[root@server10 master]# ls
[root@server10 master]# cd ../minion/
[root@server10 minion]# ls
minion_master.pub minion.pem minion.pub
[root@server10 minion]# md5sum minion_master.pub
d4fe65c78a791980030b10a730044818 minion_master.pub
[root@server10 minion]# md5sum minion.pub
e2dfc456495b754bbbfc58f7dca92114 minion.pub
查看数据走向
[root@server9 minions]# netstat -antlp
[root@server9 minions]# yum install -y lsof
[root@server9 minions]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1434 root 16u IPv4 14141 0t0 TCP *:4505 (LISTEN)
salt-mast 1434 root 18u IPv4 16464 0t0 TCP server9:4505->server10:59824 (ESTABLISHED)
[root@server9 minions]# lsof -i :4506
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1441 root 24u IPv4 14150 0t0 TCP *:4506 (LISTEN
查看进程具体名称
[root@server9 minions]# yum install -y python-setproctitle
[root@server9 minions]# /etc/init.d/salt-master restart
[root@server9 salt]# ps zx
2.salkstack自动化部署httpd
[root@server9 minions]# cd /etc/salt/
[root@server9 salt]# vim master
file_roots:
base:
- /srv/salt
[root@server9 salt]# /etc/init.d/salt-master restart
# 建立目录
[root@server9 salt]# mkdir /srv/salt
[root@server9 salt]# cd /srv/salt/
[root@server9 salt]# mkdir httpd
[root@server9 salt]# cd httpd/
# 编写安装文件
[root@server9 httpd]# vim install.sls
httpd-install:
pkg.installed:
- pkgs:
- httpd
- php
service.running:
- name: httpd
- enable: True
- reload: True
# 推送给server10
[root@server9 httpd]# salt server10 state.sls httpd.install
/etc/salt/master文件内容:
/srv/salt/httpd/install.sls文件内容
查看server10上是否有httpd端口
[root@server10 salt]# netstat -antlp
tcp 0 0 :::80 :::* LISTEN 2023/httpd 
server9
完善安装文件:
[root@server9 httpd]# vim install.sls
httpd-install:
pkg.installed:
- pkgs:
- httpd
- php
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source: salt://httpd/files/httpd.conf
- mode: 644
- user: root
service.running:
- name: httpd
- enable: True
- reload: True
- watch:
- file: httpd-install
[root@server9 httpd]# mkdir files
[root@server9 httpd]# cd files/
[root@server9 files]# ls
从server10 拷贝配置文件给server9
[root@server10 salt]# scp /etc/httpd/conf/httpd.conf server9:/srv/salt/httpd/files/
# 在server9更改端口
[root@server9 httpd]# cd files/
[root@server9 files]# vim httpd.conf
Listen 8080
# 查看
[root@server9 files]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf
# server10查看
[root@server10 salt]# cd /etc/httpd/conf
[root@server10 conf]# md5sum httpd.conf
27a5c8d9e75351b08b8ca1171e8a0bbd httpd.conf #与server9不同
再推送给server10
[root@server9 httpd]# salt server10 state.sls httpd.install
# 再次在server10查看,与server9一致
[root@server10 conf]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf
[root@server10 conf]# netstat -antlp
tcp 0 0 :::8080 :::* LISTEN 2023/httpd 
3.salkstack自动化部署nginx
再打开一个虚拟机,按照第一步server10的配置,与server10一致,同样在server9上执行salt-key -A
接下来就是做以下配置
[root@server9 salt]# mkdir nginx # 建立nginx 目录
[root@server9 salt]# cd nginx/ # 进入目录
[root@server9 nginx]# mkdir files
[root@server9 nginx]# mv /mnt/nginx-1.14.0.tar.gz /srv/salt/nginx/files
[root@server9 nginx]# cd files
编辑安装编译脚本
[root@server9 salt]# mkfir pkgs
[root@server9 salt]# cd pkgs
[root@server9 pkgs]# vim make.sls
make-gss:
pkg.installed:
- pkgs:
- pcre-devel
- openssl-devel
- gcc
[root@server9 nginx]# vim install.sls
编辑如下:
include:
- pkgs.make
nginx_install:
file.managed:
- name: /root/nginx-1.14.0.tar.gz
- source: salt://nginx/files/nginx-1.14.0.tar.gz
cmd.run:
- name: cd /root/ && tar zxf nginx-1.14.0.tar.gz && cd nginx-1.14.0 && sed -i.bak 's/#define NGINX_VER "nginx\/" NGINX_VERSION/#define NGINX_VER "nginx"/g' src/core/nginx.h && sed -i.bak 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx --with-file-aio --with-threads --with-http_ssl_module --with-http_stub_status_module &> /dev/null && make &>/dev/null && make install &>/dev/null
- creates: /usr/local/nginx
编辑完成,向minion(server8)推送
[root@server9 salt]# salt server8 state.sls nginx.install
推送成功,server3上nginx编译安装完成
编辑用户脚本
在/srv/salt 下建立专门用来建立服务用户的脚本
[root@server9 salt]# mkdir users
[root@server9 salt]# cd users
[root@server9 users]# vim nginx.sls
编辑内容如下:
nginx-group:
group.present:
- name: nginx
- gid: 800
nginx-user:
user.present:
- name: nginx
- uid: 800
- gid: 800
- shell: /sbin/nologin
- createhome: False
- home: /usr/local/nginx 
进行服务启动相关脚本的编写
[root@server1 salt]# vim nginx/service.sls
include:
- nginx.install
- users.nginx
- pkgs.make
/usr/local/nginx/conf/nginx.conf:
file.managed:
- source: salt://nginx/files/nginx.conf
nginx-service:
file.managed:
- name: /etc/init.d/nginx
- source: salt://nginx/files/nginx
- mode: 755
service.running:
- name: nginx
- reload: True
- watch:
- file: /usr/local/nginx/conf/nginx.conf
进行推送
[root@server1 salt]# salt server8 nginx.service
4.saltstack自动化部署haproxy负载均衡
在server9也做salt-minion的相关配置
从yum install salt-minion开始,做好salt-minion的配置
接下来,部署haproxy
[root@server9 salt]# mkdir haproxy
[root@server9 salt]# cd haproxy
[root@server9 haproxy]# mkdir files
[root@server9 haproxy]# vim install.sls
haproxy-install:
pkg.installed:
- pkgs:
- haproxy
# 推送给server9
[root@server9 haproxy]# salt server9 state.sls haproxy.install
[root@server9 haproxy]# vim install.sls
haproxy-install:
pkg.installed:
- pkgs:
- haproxy
file.managed:
- name: /etc/haproxy/haproxy.cfg
- source: salt://haproxy/files/haproxy.cfg
service.running:
- name: haproxy
- reload: True
- watch:
- file: haproxy-install
[root@server9 haproxy]# cp /etc/haproxy/haproxy.cnf ./files/
[root@server9 haproxy]# cd files/
# 推送给server9
[root@server9 files]# salt server9 state.sls haproxy.installinstall.sls文件内容:
# 在/srv/salt下
[root@server9 salt]# vim top.sls
base:
'server8':
- nginx.service
'server9':
- haproxy.install
'server10':
- httpd.install# 在/srv/salt/haproxy/files下
[root@server9 files]# vim haproxy.cfg
frontend main *:80
default_backend app
backend app
balance roundrobin
server app1 172.25.25.8:80 check
server app2 172.25.25.10:80 check
测试
server10(apache)
[root@server10 ~]# vim /var/www/html/index.html
server10
[root@server10 ~]# /etc/init.d/httpd restart
在浏览器访问172.25.25.100
刷新
5.saltstack之grains
salt 的grains主要是存储静态的数据,主要是minion端的一些数据,比如,hostname,内存大小、IP,CPU等一些数据,主要是存储在minion端的。
minion在启动时会读取grains数据,如果有新的grains数据需要重启minion服务,或者在master端使用salt的命令进行刷新。
在/srv/salt下
[root@server9 salt]# mkdir _grains
[root@server9 salt]# cd _grains/
[root@server9 _grains]# vim test.py
#!/usr/bin/env python
def my_grains():
grains = {}
grains['hello'] = 'world'
grains['salt'] = 'stack'
return grains
[root@server9 _grains]# salt server8 saltutil.sync_grains
[root@server9 _grains]# slat '*' grains.item hello
[root@server9 _grains]# slat '*' grains.item salt
test.py
6.saltstack之pillar
Pillar是在salt 0.9.8版本后才添加的功能组件。它跟grains的结构一样,也是一个字典格式,数据通过key/value的格式进行存储。在Salt的设计中,Pillar使用独立的加密sessiion,所以Pillar可以用来传递敏感的数据,例如ssh-key,加密证书
[root@server9 salt]# mkdir pillar
[root@server9 salt]# cd pillar
[root@server9 pillar]# mkdir web
[root@server9 web]# cd web
[root@server9 web]# vim install.sls
{% if grains['fqdn'] == 'server10' %}
webserver: httpd
{% elif grains['fqdn'] == 'server8' %}
webserver: nginx
{% endif %}/srv/pillar/web/install.sls文件内容
[root@server9 web]# cd ..
[root@server9 pillar]# vim top.sls
base:
'*':
- web.install
[root@server9 pillar]# /etc/init.d/slat-master restart
[root@server9 pillar]# salt '*' saltutil.refresh_pillar
salt '*' pillar.item
/srv/pillar/top.sls文件内容
7.jinja
例如:更改httpd的端口,有多种方法,在这里演示两种
第一种方法:
[root@server9 web]# vim install.sls
{% if grains['fqdn'] == 'server10' %}
webserver: httpd
bind: 172.25.25.10 #定义ip
port: 8080 #定义端口号
{% elif grains['fqdn'] == 'server8' %}
webserver: nginx
{% endif %}
[root@server9 srv]# vim salt/httpd/install.sls
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source: salt://httpd/files/httpd.conf
- mode: 644
- user: root
- template: jinja
- context:
bind: {{ pillar['bind'] }} #取值为/srv/pillar/web/install.sls文件里bind的值
port: {{ pillar['port'] }} #取值为/srv/pillar/web/install.sls文件里port的值
[root@server9 srv]# vim salt/httpd/files/httpd.conf
Listen {{ bind }}:{{ port }} # 这里取的值是/srv/salt/httpd/install.sls文件里面定义的变量
[root@server9 httpd]# salt server10 state.sls httpd.install
/srv/salt/httpd/files/httpd.conf
/srv/salt/httpd/install.sls文件:
推送中显示的内容:说明端口已更改为8080
第二种方法:
[root@server9 httpd# vim lib.sls
{% set port = 80 %}
[root@server9 httpd]# vim files/httpd.conf
{% from 'httpd/lib.sls' import port with context %}
[root@server9 httpd]# salt server10 state.sls httpd.install
推送显示的内容:说明端口已更改为80
1504
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
